CyberWire Daily - CyberWire commentary: Ukraine one year on. [Special Edition]
Episode Date: March 3, 2023
CyberWire Daily podcast host Dave Bittner is joined by CyberWire editor John Petrik for an extended discussion about the Russian invasion of Ukraine and its effect on cybersecurity at the one year anniversary. John and his team have covered the Ukrainian conflict with daily news stories since the invasion began, and in fact, had quite a lot of coverage prior to the invasion. They take stock of where things stand, what has happened, and what we expected versus reality.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Welcome to this CyberWire special edition,
marking the one-year anniversary of Russia's war against Ukraine
and its effect on cybersecurity.
As the war has raged on, it's had major impacts on cybersecurity,
both in Ukraine and around the world. Joining me is our CyberWire editor and senior writer,
John Petrik. Stay with us. It is my pleasure to welcome to the show John Petrik. He is the CyberWire's editor and senior writer.
John, welcome back.
It's good to be here, Dave. Thanks.
So as we are recording this, it is just past the one-year anniversary of Russia's invasion of Ukraine.
And I wanted to take this opportunity to kind of take stock with you.
What happened, where we stand, what we expected to happen versus the reality,
all those sorts of things.
Can we start off with just the big picture?
Where do things stand today, particularly looking at the cyber angle of this war against
Ukraine?
Sure.
The big surprise that I think has taken everybody by surprise has been the Russian failure to
end this war quickly.
That it was widely believed when they crossed the border a year ago that the war would be over in a matter of days or at most weeks.
That the Russian advantages in preparation and in manpower
and in equipment were regarded as being so dominant
that Ukraine would have little chance.
Some of that's a matter of mistaken perspective
that Ukraine is not a tiny country. Ukraine is about the size of Texas in area. It's got a
sizable population. So this is not a small place. This is not like Russia invading Luxembourg.
Okay. So Ukraine itself is big and while not nearly as big as Russia, still disposes of a fair number of resources. So the Ukrainians had more capability than they were generally given credit for.
Russian combat performance, and I think there's no other way to describe it than that way.
Their equipment hasn't functioned as designed. They haven't been able to maneuver effectively.
They haven't been able to combine their arms. Combined arms means integrating tanks, infantry,
artillery, air, cyber, other forms of electronic warfare into a single operation where they support each other.
They haven't been able to do that.
They haven't shown an ability to maneuver in particular.
The Army is pretty clearly roadbound from the video you see.
They have a tough time moving off the road,
probably because they have difficulty not getting lost
because they're not accustomed to moving off the roads.
And with that kind of force, you're not going to be able to take and hold ground.
And in fact, they've lost a great deal of the ground they took in those initial days.
And the Ukrainians have continued to apply pressure to them, pushing them back throughout.
So that's been the big surprise.
Almost on a daily basis, we're talking about on our podcast
how the cyber aspects have not lived up to the expectations.
What do you make of that?
I think that there was a lot of inflated hype about cyber activity.
How many times have you heard people talk about the possibility of a cyber Pearl Harbor?
There's a bolt from the blue that's going to suddenly turn the lights off across an entire continent.
And we've seen smaller destructive attacks work.
We've seen it twice in Ukraine in 2015, 2016.
There were Russian attacks that did, in fact, take down for a period of several hours,
a number of hours, sections of the Ukrainian power grid.
So the idea was, well, if this is just staging, if this is just training, if this is just preparation,
how much worse would it get when they actually went to war?
In fact, it's harder to do that than one might expect,
and it's easy to misread things,
to think that there are capabilities that in fact don't exist
because offensive cyber is just more difficult than it appears to be.
Do you remember the appearance of the Mirai botnet?
Sure.
That came out during a week when the NATO Cyber Center of Excellence
was having meetings down in Washington,
was holding a conference in Washington, D.C.,
and there were well-informed, intelligent, high-ranking people there
talking about Mirai, and the consensus among them was that this thing
that's just come out over the last couple of days
is obviously a Russian proof of concept.
This is clearly an attempt by the Russian intelligence services
to test what they can do and show us what they can do.
Eventually, the FBI determined what was behind Mirai.
About a week or two later, who was behind Mirai?
It was a knucklehead undergraduate at Rutgers
who was trying to gain an advantage in selling things to Minecraft players.
Right.
So it wasn't that nefarious bolt from the blue that we'd been expecting.
So they haven't done that.
Have they had some successes?
Sure.
There were successful wiper attacks in the early days and weeks of the war
that destroyed some information on Ukrainian networks.
But those in and of themselves weren't the kinds of things that those networks couldn't recover from. They
didn't have a significant operational impact. Did they take out the Viasat ground station terminals
with cyber attack? Yeah, they did. They were able to deny a lot of Viasat comms connectivity, but
the Viasat connectivity was quickly restored and replaced by Starlink connectivity.
So that hasn't been a factor since then.
Since that time, what we've seen have been continued attempts by Russian intelligence services,
some with some success, to attack Ukrainian networks in cyber espionage operations.
CERT Ukraine just yesterday, for example, announced that they had detected a backdoor that the Russians had installed back actually quite a while ago in December of 2021.
And that backdoor has since been used to stage various forms of malware for collection purposes
in certain Ukrainian networks.
Now, CERT Ukraine thinks that they've got it contained,
that they didn't have any serious,
they didn't sustain any serious harm from that.
But the point is that there's still a capability there.
They're trying to do these things,
but that seems to be cyber espionage.
The more disruptive attacks that we've seen since then
have tended to be nuisance level attacks,
defacements, distributed denial of service attacks,
run by people who are best regarded as
cyber auxiliaries. That is people who are quasi private sector actors, patriotic activists who
are acting in the Russian interest and they are conducting DDoS attacks against, for example,
German airports or who are defacing websites. That's going on.
And then there's also the kind of privateering that we've seen for a long time.
This is not new.
This has been going on long before the war, that notoriously Russian cyber gangs have
been tolerated and have operated with the protection and a certain degree of recognition
by the state.
You know, do what you want.
Go steal whatever you can from the Americans,
from the Germans, from the Japanese.
Steal what you can.
Just leave us alone and leave friendly countries alone.
If you keep your nose clean,
you don't go after anybody who's working with,
say, a Cyrillic keyboard, you're okay.
You're not going to get a knock on the door.
So have we seen continued ransomware attacks
by these groups?
Yeah, we have.
And those will continue to go on.
Are those nuisances?
Sure, they're nuisances,
but they're not war winners
and they're not coordinated
with other arms operations.
They're not even as well-coordinated
as conventional electronic warfare.
They're not even as well-coordinated
as jammers that might take down
a radio network,
tactical radio network.
Stick around. There's more to our conversation after this.
From the point of view of the global community, how does this experience inform the future of cyber war? What are other nations watching, taking away from this?
I think they're learning that offense is difficult and defense is possible.
I think that's the big lesson. I think that many of the lessons being learned are probably lessons
that we're not going to be aware of. I'm sure there are things that are being learned and
thought about that certainly haven't broken out into the open source intelligence
world, that haven't broken out into the news. I think that the big lesson is a perennial lesson
that any effective military operation has to be a combined arms operation.
That if you're simply blasting away with artillery, you line your guns up hub to hub,
you're slamming away at poorly identified area targets. Your infantry is doing
something else. Your armor is off breaking track, trying to fix itself. And your jammers are either
not doing anything because nobody's tasked them or they're not hitting the right frequency. If
your cyber ops are not going after the right targets or they're not doing the right things,
they're not going to have any desired effect. They're not going to have good effect.
And I think that's a lesson that's being relearned all the time.
Yeah, I think there's this notion that cyber could be a force multiplier,
and it certainly seems in this instance that has not been the case.
Well, it can be.
There's no reason it can't be.
But a force multiplier is not in itself decisive.
That it's conventional to distinguish combat power from combat multipliers.
That combat power is something you can count on.
So what's combat power?
Tanks are combat power.
Infantry are combat power.
Guns are combat power.
A force multiplier is something that when you have it available to you, it will help you win.
It will help your operation, but you can't count on it for success.
So plan your operation as if it may or may not show up.
If the weather is bad enough, for example, the aircraft are not going to fly.
So aviation is commonly regarded, and I apologize in advance to any aviators listening to this,
aviation is commonly regarded as being a force multiplier, not as direct combat power. I think cyber is a combat
multiplier. What do you use it for? You obviously use it for intelligence collection. That's obvious.
You can use it for, if you move out of that shadowy world into the more overt world,
if you view influence operations and information operations generally as cyber,
which I think is not an unreasonable thing to do, there's an important role for it there.
It's been interesting to watch the failure of Russian influence operations in this present war
because they had been pretty good at that in the past.
Remember all of the worries and
uproar over the Russians are meddling with the election and they're making people think this,
think that, and think the other thing. Sure. That wasn't crazy. You know, there was a degree of
hysteria to that, but it wasn't nuts to be worried about that. What were the Russians doing in that
case? Were they trying to push a particular viewpoint on anyone? Not really. They were trying to darken counsel. They were trying to confuse. If you look at the theorist of war,
Clausewitz, in his writings, Clausewitz argued that the thing that distinguished the idea of war
in the abstract from real war on the ground was what he called friction.
And friction for Clausewitz is the kind of thing that causes a deviation from the ideal.
If you remember anything from your high school physics class,
what kinds of things did they always do
to teach you basic physics?
They would give a bunch of simplifying assumptions.
Assume a frictionless surface, they would say.
Right.
Things like that.
Forget about air resistance, that kind of thing.
All of that stuff is the complexity of the real world,
and that's what Clausewitz was thinking of.
So military friction is darkness.
It's bad weather.
It's mud.
It's mud that the guns get mired in.
It's a unit getting lost.
It's an order being misinterpreted.
It's somebody not understanding it. It's the guy who doesn't get the word.
That's friction. If you want to look at
general approaches to the art of war, some armies tend to work by trying to minimize their own
friction. We want to minimize our own friction so that we can do what it is we want to do.
That's what we want to do. Other armies try to maximize the enemy's friction.
We want to gum it up for the enemy as much as possible.
In general terms, the American way of war
has tended to try to minimize its own friction.
The Russian way of war has tended to seek
to induce more friction in the adversary.
And Russian influence operations, I think, were most effective
when they were trying to induce friction, not when they were trying to persuade people
of some particular line. I think there are very, very few people who seriously think
that the positive Russian line on the war in Ukraine is true. I don't think anybody seriously believes, whether they're
sympathetic to Russia or not, that Ukraine is run by literal Nazis, okay? Literal, self-conscious,
institutional successors of the German Nazi party from the Second World War. Nobody thinks Ukraine
is being run by Nazis who are systematically trying to exterminate Russians and that Ukraine was serving as a staging point for a Nazi-led NATO offensive against Russia.
That's the Russian line. It's implausible. It doesn't work. So perhaps they should have stuck
to trying to confuse people. Now, much of that is for domestic consumption.
Yeah. There's an analogy that I've heard you use
to sort of relate it to game theory,
you know, the difference between poker and chess.
Can you hash that out for us?
I find it really fascinating.
If you look at both poker and chess,
they're both rational games.
They require intelligence and thought to play.
It's not like playing, I don't know,
take your big war.
Right.
Okay, or Indian to drop even lower.
The chess is a deterministic system.
It's fully deterministic.
Nothing happens by accident in a game of chess.
You can make mistakes, but there's nothing that's a matter of chance.
All the pieces are in the same place
at the beginning of the game.
The pieces are all in place.
The pieces have known capabilities and known potentials.
And you're responding to an adversary.
You might be surprised by what the adversary does
but nothing happens by accident.
It happens because somebody did it.
Poker, on the other hand, is a game that involves a great deal of chance.
It involves rational calculation of odds and probabilities.
It involves the ability to bluff.
It involves the ability to sense when your opponent is bluffing.
If you listen to Russian media and listen to the Russian speeches,
you will hear them commonly introduce their conclusions by saying things like, of course, or it is no accident that.
This is a chess player's way of looking at conflict. In the Western view, and in particular
the American view, there's, I think, a much more vivid imaginative presence of the reality of
chance, that there are things that haven't happened because anybody has done them.
They've just happened.
And I think this is also manifested in the Russian willingness to look for a general
to sack when something is not going well.
Where do you suppose this is going to go?
I mean, we're a year in now.
Do we have another year in front of us?
How do you think this is going to play out?
It's hard to tell because so much depends upon things that are beyond our ability to predict.
It would be unwise to think that there would be a popular uprising that would depose President Putin, for example.
Is the war popular at home?
It's got some degree of popularity.
I mean, they have certainly been able to whip up enthusiasm
at well-organized, spontaneous demonstrations.
But on the other hand,
when Putin announced partial mobilization last fall,
about 300,000 men of military age got out of the country
before they could be taken.
That's about the amount that were targeted for mobilization and the amount that they did take in,
in that partial mobilization. So there's clearly some dissatisfaction, some disease
with thinking about the war. Will Ukraine continue to get supplied from the West? It probably will. They've been promised
a lot of equipment. A lot of equipment has been delivered. That equipment has generally
functioned pretty well. They've received a lot of cyber support, both from governments and from
the private sector. So Ukraine is in a pretty good position to be able to continue to defend itself.
Whether they'll be able to take the
offensive effectively against Russia on a large scale remains to be seen. And I would watch for
that as the weather improves a little bit over the next couple of months and as the new stocks of
ammunition and equipment arrive.
Thanks for joining us for this CyberWire special edition,
and special thanks to my colleague John Petrik for taking the time to lend his insights to the conversation. Thank you.